From b9328804349eb4ff249ae443a2788737487b65d7 Mon Sep 17 00:00:00 2001
From: CamilleBeau <51176779+CamilleBeau@users.noreply.github.com>
Date: Wed, 30 Nov 2022 15:21:10 -0500
Subject: [PATCH] [login] Add code sanitizer before dangerouslySetInnerHTML (#7491)

This adds DOMPurify to sanitize the code that is passed through dangerouslySetInnerHTML to avoid XSS vulnerabilities.
---
 modules/login/jsx/loginIndex.js | 5 ++++-
 package.json | 1 +
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/modules/login/jsx/loginIndex.js b/modules/login/jsx/loginIndex.js
index eaea88f58a5..326b9f2d610 100644
--- a/modules/login/jsx/loginIndex.js
+++ b/modules/login/jsx/loginIndex.js
@@ -5,6 +5,7 @@ import React, {Component} from 'react';
 import PropTypes from 'prop-types';
 import Loader from 'Loader';
 import Panel from 'Panel';
+import DOMPurify from 'dompurify';
 
 /**
  * Login form.
@@ -177,7 +178,9 @@ class Login extends Component {
 }
 if (this.state.mode === 'login') {
 const study = (
-
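Review bot: The new `import DOMPurify from 'dompurify';` is placed after the local `Loader`/`Panel` imports rather than next to the other third-party packages (`react`, `prop-types`) at the top of the import block; moving it up to `import PropTypes from 'prop-types'; import DOMPurify from 'dompurify';` keeps the vendor/local grouping readable. The diffstat shows `package.json` gaining one line, presumably this dependency, but that file section is not in view, so its version constraint cannot be checked here.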
+ ); const error = this.state.form.error.toggle ? (
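Review bot: The sanitized `dangerouslySetInnerHTML` value introduced after `const study = (` is not legible in this rendering, so the exact `DOMPurify.sanitize(...)` call and any configuration it is given cannot be checked here; the commit description is the only evidence of what the added lines do. A one-line comment above the element would make the contract explicit for the next maintainer, e.g. `// Study markup is untrusted: it must pass through DOMPurify.sanitize before __html.` If a non-default DOMPurify config is used, that comment should name it, since the allow-list is what decides which markup survives. Note also that `dompurify` needs a DOM to work with, so if this component were ever rendered outside a browser the sanitizer would need a window supplied; whether that applies here is not visible. The enclosing render method continues past the hunk.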